[strongSwan-dev] Trouble getting unique ip addresses from client pool....

Andrew Foss afoss at actmobile.com
Sat Apr 25 03:04:44 CEST 2015


It appears that our ip addresses are being assigned by the XAuthName 
'actmobile'; unfortunately that is not unique?

On 4/24/15 5:28 PM, Andrew Foss wrote:
> Here's our situation:
>
> ios ipsec clients, they each have a certificate with a unique common 
> name.
>
> I want to configure strongswan to give them a different ip address for 
> each client/CN, regardless of what public ip address they may arrive 
> from at the moment, it is a road warrior config.
>
> I am thinking I can write a plugin like dhcp to do it for sure, but 
> seems like I may have something in the config that is wrong. I have to 
> set uniqueids=no to get two clients to connect, which makes me think I 
> am using something else for the id, other than the cert subject name.
>
> This error line seems to indicate the peer is referred to as 'actmobile'
>
> destroying duplicate IKE_SA for peer 'actmobile', received 
> INITIAL_CONTACT
>
> in the updown scripts the PLUTO_PEER_ID does show up properly as 
> [C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307]
>
> All my clients seem to get 172.20.0.1 as their ip address and ipsec 
> statusall shows just one SA even when I have 3 devices connected.
>
> Here's the config:
>
> conn ios
>     keyexchange=ikev1
>     #esp=null-sha1!
>     authby=xauthrsasig
>     xauth=server
>     #left=%defaultroute
>     leftsubnet=0.0.0.0/0
>     #leftsubnet=10.66.0.0/16
>     #leftfirewall=yes
>     #lefthostaccess=yes
>     leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
>     leftcert=serverCert.pem
>     #right=%any
>     rightsourceip=172.20.0.0/16
>     #rightsourceip=10.100.255.0/28
>     #rightcert=clientCert.pem
>     #pfs=no
>     auto=add
>     rekey=yes
>     fragmentation=yes
>     lifetime=24h
>     dpddelay=0
>     dpdtimeout=24h
>     compress=yes
>
> Here's the log output of clients connecting:
>
> IKE_SA ios[6] established between 10.199.65.236[C=US, ST=California, 
> L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, 
> CN=ipsec.corp.actmobile.com, 
> E=support at actmobile.com]...50.197.174.157[C=US, O=strongSwan, 
> CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307]
> Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[6] state change: 
> CONNECTING => ESTABLISHED
> Apr 25 00:12:43 accel charon: 12[IKE] scheduling reauthentication in 
> 10094s
> Apr 25 00:12:43 accel charon: 12[IKE] maximum IKE_SA lifetime 10634s
> Apr 25 00:12:43 accel charon: 12[IKE] activating new tasks
> Apr 25 00:12:43 accel charon: 12[IKE] nothing to initiate
> Apr 25 00:12:43 accel charon: 12[IKE] destroying duplicate IKE_SA for 
> peer 'actmobile', received INITIAL_CONTACT
> Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[5] state change: 
> ESTABLISHED => DESTROYING
> Apr 25 00:12:43 accel charon: 12[KNL] deleting SAD entry with SPI 
> c1648e6d  (mark 0/0x00000000)
> Apr 25 00:12:43 accel charon: 12[KNL] deleted SAD entry with SPI 
> c1648e6d (mark 0/0x00000000)
> Apr 25 00:12:43 accel charon: 12[KNL] deleting SAD entry with SPI 
> 0d133ab7  (mark 0/0x00000000)
> Apr 25 00:12:43 accel charon: 12[KNL] deleted SAD entry with SPI 
> 0d133ab7 (mark 0/0x00000000)
> Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 0.0.0.0/0 === 
> 172.20.0.1/32 out  (mark 0/0x00000000)
> Apr 25 00:12:43 accel charon: 12[KNL] policy still used by another 
> CHILD_SA, not removed
> Apr 25 00:12:43 accel charon: 12[KNL] updating policy 0.0.0.0/0 === 
> 172.20.0.1/32 out  (mark 0/0x00000000)
> Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 
> === 0.0.0.0/0 in  (mark 0/0x00000000)
> Apr 25 00:12:43 accel charon: 12[KNL] policy still used by another 
> CHILD_SA, not removed
> Apr 25 00:12:43 accel charon: 12[KNL] updating policy 172.20.0.1/32 
> === 0.0.0.0/0 in  (mark 0/0x00000000)
> Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 
> === 0.0.0.0/0 fwd  (mark 0/0x00000000)
> Apr 25 00:12:43 accel charon: 12[KNL] policy still used by another 
> CHILD_SA, not removed
> Apr 25 00:12:43 accel charon: 12[KNL] updating policy 172.20.0.1/32 
> === 0.0.0.0/0 fwd  (mark 0/0x00000000)
> Apr 25 00:12:43 accel charon: 12[KNL] getting a local address in 
> traffic selector 0.0.0.0/0
> Apr 25 00:12:43 accel charon: 12[KNL] using host %any
> Apr 25 00:12:43 accel charon: 12[KNL] using 10.199.65.193 as nexthop 
> to reach 166.170.42.208
> Apr 25 00:12:43 accel charon: 12[KNL] 10.199.65.236 is on interface eth0
> Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 0.0.0.0/0 === 
> 172.20.0.1/32 out  (mark 0/0x00000000)
> Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 
> === 0.0.0.0/0 in  (mark 0/0x00000000)
> Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 
> === 0.0.0.0/0 fwd  (mark 0/0x00000000)
> Apr 25 00:12:43 accel charon: 12[KNL] getting iface index for eth0
> Apr 25 00:12:43 accel charon: 12[CFG] lease 172.20.0.1 by 'actmobile' 
> went offline
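A log check for the symptom described in this thread, added here as an example and not part of the original post or of strongSwan: it correlates the client certificate subject from each `IKE_SA ... established` line with the identity under which leases are held or duplicate IKE_SAs are destroyed, and flags an identity (here the XAuth user name) that covers several distinct client certificates. The log lines are constructed in the message formats quoted above.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the charon output quoted in the thread:
# two clients with distinct certificate CNs connect, both are then treated as
# the same peer 'actmobile' (the XAuth user name) and share lease 172.20.0.1.
SAMPLE_LOG = """\
Apr 25 00:12:40 accel charon: 11[IKE] IKE_SA ios[5] established between 10.199.65.236[C=US, O=Example, CN=ipsec.example.test]...198.51.100.10[C=US, O=strongSwan, CN=IDE-0001]
Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[6] established between 10.199.65.236[C=US, O=Example, CN=ipsec.example.test]...198.51.100.20[C=US, O=strongSwan, CN=IDE-0002]
Apr 25 00:12:43 accel charon: 12[IKE] destroying duplicate IKE_SA for peer 'actmobile', received INITIAL_CONTACT
Apr 25 00:12:43 accel charon: 12[CFG] lease 172.20.0.1 by 'actmobile' went offline
"""

# Message formats as they appear in the thread's log excerpt.
ESTABLISHED = re.compile(
    r"IKE_SA \S+\[\d+\] established between \S+?\[(.*?)\]\.\.\.\S+?\[(.*?)\]")
DUPLICATE = re.compile(r"destroying duplicate IKE_SA for peer '([^']+)'")
LEASE = re.compile(r"lease (\S+) by '([^']+)'")


def analyse(log):
    """Return pool/uniqueness identities that match none of the authenticated
    certificate subjects while several distinct subjects were seen, i.e. many
    clients funnelled into one lease identity."""
    subjects = set()             # remote certificate DNs from IKE_SA lines
    pool_ids = defaultdict(set)  # identity -> addresses leased to it
    for line in log.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            subjects.add(m.group(2))
            continue
        m = DUPLICATE.search(line)
        if m:
            pool_ids[m.group(1)]  # record the identity even without a lease
            continue
        m = LEASE.search(line)
        if m:
            pool_ids[m.group(2)].add(m.group(1))
    findings = {}
    if len(subjects) > 1:
        for ident, addrs in pool_ids.items():
            if ident not in subjects:
                findings[ident] = {"subjects": sorted(subjects),
                                   "addresses": sorted(addrs)}
    return findings


if __name__ == "__main__":
    for ident, info in analyse(SAMPLE_LOG).items():
        print(f"identity {ident!r} covers {len(info['subjects'])} certificate "
              f"subjects, leased addresses {info['addresses']}")
```

Run it over a longer charon log to confirm whether every client's lease really is keyed by one shared identity rather than by its certificate subject.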
